Breaking SSL on embedded devices

Developers use embedded devices all the time, often without implementing security measures. When they do, they often rely on SSL. As revealed by the LittleBlackBox project there exists a collection of thousands of private SSL keys extracted from various embedded devices. These private keys are stored in a database where they are correlated with their public SSL certificates as well as the hardware/firmware that are known to use those SSL keys.

As summarized by Embedded Device Hacking, “That means that if Alice and Bob are both using the same router with the same firmware version, then both of their routers have the same SSL keys. All Eve needs to do in order to decrypt their traffic is to download the firmware from the vendor’s Web site and extract the SSL private key from the firmware image.”

Interesting.

This entry was posted in hacks, reversed, security, utilities and tagged , .

Comments

  1. Conversely, all Eve needs to do is download an open source firmware and compile in a newly-created SSL private key. Then Bob has no hope of spying on Eve.

Leave a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail. You can also subscribe without commenting.